When generating cryptographic keys (or key pairs), it is important to use strong parameters. Key length, for instance, should provide enough
entropy against brute-force attacks.
- For
RSA and DSA algorithms key size should be at least 2048 bits long
- For
ECC (elliptic curve cryptography) algorithms key size should be at least 224 bits long
- For
RSA public key exponent should be at least 65537.
This rule raises an issue when a RSA, DSA or ECC key-pair generator is initialized using weak
parameters.
It supports the following libraries:
Noncompliant Code Example
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa
dsa.generate_private_key(key_size=1024, backend=backend) # Noncompliant
rsa.generate_private_key(public_exponent=999, key_size=2048, backend=backend) # Noncompliant
ec.generate_private_key(curve=ec.SECT163R2, backend=backend) # Noncompliant
Compliant Solution
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa
dsa.generate_private_key(key_size=2048, backend=backend) # Compliant
rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend) # Compliant
ec.generate_private_key(curve=ec.SECT409R1, backend=backend) # Compliant
See
